updatedb on Redhat

become user 'nobody' via updatedb (or root on a really old distro of RedHat) (local)

Vulnerable Systems:

Redhat Linux (presumably 5.0) is especially exposed because updatedb runs sort regularly; many other systems (such as Solaris) also ship an insecure sort. FreeBSD 2.2.2 is apparently vulnerable to the same updatedb problem.

Date:

28 February 1998

Notes:

Dave Goldsmith may have found this first, although I cannot currently access his website for more info.

Details:

Date: Sat, 28 Feb 1998 17:32:21 +0100
From: viinikala <kala@DRAGON.CZ>
To: BUGTRAQ@NETSPACE.ORG
Subject: x11amp playlist bug

hi,
x11 audio mpeg player (x11amp) version 0.65, when installed setuid root
(as suggested by the README file), creates playlist files in ~/.x11amp
while making 'root' the owner of these plaintext files (instead of the
proper user). unfortunately, the program DOES follow symlinks, and
overwriting for instance /etc/shadow is therefore trivial:
mkdir ~/.x11amp
ln -s /etc/shadow ~/.x11amp/ekl
now run x11amp, get into the playlist menu, select 'ekl', mark all the
entries and hit 'delete'. no matter if the prg crashes (it might),
/etc/shadow is gone, anyway.

viinikala/rvl&grif <kala@dragon.cz>
i could wrap you up in cotton wool.
Date: Mon, 2 Mar 1998 15:16:41 -0500
From: Kragen <kragen@POBOX.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: overwrite any file with updatedb

On Sun, 1 Mar 1998, Cain wrote:
> in /tmp called sort0<pid>000{1,2,etc}. Each is around 512k. The

On SunOS 5.5.1, the filenames are of the form /var/tmp/stmAAAa003M_aa,
and the files are typically smaller.
The M_ part, at least, appears to change from run to run, but it
doesn't change within a run.
Solaris 5.5.1 sort doesn't check for symlinks before it opens the file;
I have successfully overwritten a file in my home dir this way.
This is similar to the gcc bug.

Kragen
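Both posts describe the same defect: a program creates a file at a name another user can predict (sort's /tmp/sort0<pid>000N, x11amp's ~/.x11amp/<playlist>) without checking whether a symlink already sits there, so the open follows the link and truncates whatever it points at. The C program below is an added example, not code from either poster, from any sort implementation, or from Fyodor's page. It reproduces the defect only against a scratch file inside a private mkdtemp() directory and shows the two fixes a maintainer would apply: opening with O_CREAT|O_EXCL|O_NOFOLLOW, which refuses a planted link, and mkstemp(), which removes the predictable name altogether. The directory, file names and function names are all constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The pattern the posts describe: a predictable name opened with
 * O_CREAT|O_TRUNC and no symlink check. If a symlink has been planted
 * at that name, open() follows it and truncates the link target. */
static int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened open: O_EXCL makes open() fail with EEXIST when anything
 * (a symlink included) already exists at the path, and O_NOFOLLOW
 * refuses to follow a symlink in the final component (ELOOP). Either
 * flag alone defeats this attack; the check happens inside the kernel,
 * so there is no window between a stat() and the open(). */
static int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Runs the scenario in a private mkdtemp() directory and returns a bitmask:
 *   bit 0: open_tmp_unsafe() followed the planted link and truncated the target
 *   bit 1: open_tmp_safe() refused the planted link (EEXIST or ELOOP)
 *   bit 2: mkstemp() produced a fresh regular file with an unpredictable name
 * All paths are constructed here; nothing outside the scratch directory is touched.
 * Returns -1 if the scratch setup itself fails. */
int symlink_defence_demo(void)
{
    char dir[] = "/tmp/updatedb-demo-XXXXXX";   /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return -1;

    char target[PATH_MAX], planted[PATH_MAX], tmpl[PATH_MAX];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(planted, sizeof planted, "%s/sort0000001", dir); /* predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/sortXXXXXX", dir);

    /* Scratch file standing in for whatever a planted link would point at. */
    const char contents[] = "keep me\n";
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, contents, sizeof contents - 1) != (ssize_t)(sizeof contents - 1)) {
        close(fd);
        return -1;
    }
    close(fd);

    /* The symlink sitting at the predictable temp-file name. */
    if (symlink(target, planted) != 0)
        return -1;

    int result = 0;
    struct stat st;

    /* 1. Hardened open refuses the link; the target keeps its contents. */
    fd = open_tmp_safe(planted);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)
        && stat(target, &st) == 0 && st.st_size == (off_t)(sizeof contents - 1))
        result |= 2;
    if (fd >= 0)
        close(fd);

    /* 2. The original pattern follows the link and truncates the target. */
    fd = open_tmp_unsafe(planted);
    if (fd >= 0)
        close(fd);
    if (stat(target, &st) == 0 && st.st_size == 0)
        result |= 1;

    /* 3. mkstemp(): random suffix, created with O_EXCL by the C library. */
    fd = mkstemp(tmpl);
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1)
        result |= 4;
    if (fd >= 0) {
        close(fd);
        unlink(tmpl);
    }

    unlink(planted);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = symlink_defence_demo();
    printf("unsafe open followed the link:   %s\n", (r & 1) ? "yes" : "no");
    printf("hardened open refused the link:  %s\n", (r & 2) ? "yes" : "no");
    printf("mkstemp gave a fresh file:       %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

The same check can be pointed at any program that writes to a shared directory: run it with a symlink planted at the name it is expected to use and confirm the target is untouched afterwards. For setuid programs such as the x11amp case, dropping privileges before writing into the user's home directory is the additional fix, since even a non-following open would still create root-owned files there.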

This page is part of Fyodor's exploit world.